This is expected, otherwise the policy would be 'permit everything'. To me, it seems the problem is a combination is:

- To complex configuration, with policy compilers, etc.

- The use of file labeling to control access to file objects.

- SELinux as a whole is binary: either it is on or off. You can't run a specific program as unconfined, generate a policy from the errors, and enable it after a while.

AppArmor might be slightly weaker, but its profiles are much easier to write, file permissions are part of the configuration policy, and you can run specific programs in warnings-only mode for a while and generate a policy from the access violations.

SELinux always left me frustrated. AppArmor has mostly been a walk in the park.